Hi All
We've recently got a FortiGate for the office and it's set up with SSL VPN working fine. I've been asked to add rules to allow external access to the PBX for softphones. I've created the firewall rules and the DNAT and SNAT, but it isn't functioning. It hits the DNAT and the firewall rule, but the central SNAT rule isn't triggered when I use specific services as a filter. If I take the services off so it allows all, the access functions but the VPN access stops working.
I've searched the web and haven't found anything that explains it to me simply enough as to how to create the rule components for this to work without stopping the VPN access. If someone can point me to a good site that can explain this or assist me with where I may have gone wrong, I'd appreciate it. The firewall is behind an ISP fibre router.
Firewall rule (outside interface to inside interface)
Central SNAT
DNAT
I would personally not recommend the use of central SNAT, as it is not easy to maintain or troubleshoot.
If this has a connection to the VPN tunnels, something is probably set up wrong. VPN access stops working = the VPN tunnel is disconnected? Or no traffic flows through the tunnel? You probably need to correct the NAT for some of the services.
What I see in these images is that your policy outside>inside doesn't have "Pabx_Web" VIP as destination, in order to perform DNAT.
Using SNAT would make the traffic packets differ from the addresses contained in the SIP messages. Stop using SNAT altogether.
Of course you have to use the VIP in the policy, just declaring it will not make it effective.
I would not limit the DNAT to port tcp/8088 unless you have instructions to do so. What about RTP or SIP packets?
Dropping your SSLVPN depends on other policies not shown, and their placement in the policy table. Please supply that info as well.
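A configuration sketch, added here and not part of either reply or of Fortinet's documentation, showing the shape the second reply describes: central NAT turned off so NAT is decided per policy, the VIP objects listed as the destination of the inbound policy so the DNAT actually applies, and no source NAT on that policy so the SIP payload addresses still match the packet headers. The interface names "wan1" and "internal", the public and PBX addresses (taken from the RFC 5737 documentation ranges), the custom service names and the second VIP "Pabx_SIP" are assumptions; "Pabx_Web" and tcp/8088 come from the thread. udp/5060 is the IANA-registered SIP port; the RTP media range is PBX-specific and is left as a placeholder to fill in from the PBX vendor's documentation.

```fortios
# Assumption: policy-based NAT instead of central SNAT, as the replies advise.
config system settings
    set central-nat disable
end

# Services used to restrict the inbound policy (names are assumptions).
config firewall service custom
    edit "PBX_Web_8088"
        set tcp-portrange 8088
    next
    edit "PBX_SIP_5060"
        set udp-portrange 5060
    next
end

# VIP objects perform the DNAT. extip is the public address on wan1 (constructed
# example value), mappedip is the internal PBX address (constructed example value).
config firewall vip
    edit "Pabx_Web"
        set extip 203.0.113.10
        set extintf "wan1"
        set portforward enable
        set mappedip "192.0.2.10"
        set protocol tcp
        set extport 8088
        set mappedport 8088
    next
    edit "Pabx_SIP"
        set extip 203.0.113.10
        set extintf "wan1"
        set portforward enable
        set mappedip "192.0.2.10"
        set protocol udp
        set extport 5060
        set mappedport 5060
    next
    # Add a further VIP for the RTP media range (set protocol udp, extport and
    # mappedport "<rtp-start>-<rtp-end>") using the range the PBX vendor documents.
end

# The inbound policy must name the VIPs as dstaddr; declaring them alone does
# nothing. nat is disabled so the PBX sees the real softphone source address.
config firewall policy
    edit 0
        set name "Inbound_PBX"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "Pabx_Web" "Pabx_SIP"
        set action accept
        set schedule "always"
        set service "PBX_Web_8088" "PBX_SIP_5060"
        set nat disable
        set logtraffic all
    next
end
```

Because this policy is scoped to wan1 to internal with the VIPs as destination, it does not overlap the SSL VPN policies (which use the SSL VPN tunnel interface as source), so its position in the policy table should not affect VPN access. With logging on, the forward traffic log shows whether a softphone session matched "Inbound_PBX" or fell through to another policy.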
Thanks for the responses. I'll take some time in the next little while and rebuild the config to remove the central SNAT. Initially it was only going to be used for VPN and nothing else, so it wasn't a problem. We're moving to a cloud PBX now, so I'll have some time to change things without causing too much of a problem soon.